SGS: Safe-Guard Scheme for Protecting Control Plane Against DDoS Attacks in Software-Defined Networking
TLDR
A safe-guard scheme (SGS) for protecting control plane against DDoS attacks is proposed, and the main characteristic of SGS is deploying multi-controller in control plane through the controller’s clustering.
Abstract:
Software-defined networking (SDN) achieves flexible and efficient network management by decoupling the control plane from the data plane, where the controller with a global network view is responsible for planning routing for packets. However, the centralized design makes the controller a potential bottleneck, and adversaries can exploit this vulnerability to launch distributed denial-of-service (DDoS) attacks against the controller. Existing solutions are fundamentally based on forged traffic analysis, increasing computational cost and being prone to produce false positives. This paper proposes a safe-guard scheme (SGS) for protecting control plane against DDoS attacks, and the main characteristic of SGS is deploying multi-controller in control plane through the controller’s clustering. SGS procedures are organized in two modules: anomaly traffic detection and controller dynamic defense. Anomaly traffic detection focuses on switches in data plane to distinguish forged flows from legitimate ones by innovatively adopting four-tuple feature vector. Controller dynamic defense mitigates DDoS attacks’ effects on control plane by remapping controller and sending the access control message to switches. The simulation results demonstrate the efficiency of our proposed SGS with real-time DDoS attack defense and high detection accuracy, as well as high-efficiency network resource utilization.
Citations
Journal Article
Detection and mitigation of DDoS attacks in SDN: A comprehensive review, research challenges and future directions
Jagdeep Singh, Sunny Behal
TL;DR: This paper systematically reviews around 70 prominent DDoS detection and mitigation mechanisms in SDN networks and deliberates on various open research issues, gaps and challenges in the deployment of a secure SDN-based DDoS defence solution.
Journal Article
DDoS Attack Detection Method Based on Improved KNN With the Degree of DDoS Attack in Software-Defined Networks
Shi Dong, Mudar Sarem
TL;DR: The results of the theoretical analysis and the experimental results on datasets show that the proposed methods can better detect the DDoS attack compared with other methods.
Journal Article
A New Framework for DDoS Attack Detection and Defense in SDN Environment
TL;DR: A new framework of cooperative detection methods of control plane and data plane is proposed, which effectively improves the detection accuracy and efficiency, and prevents DDoS attacks on SDN.
Journal Article
New-flow based DDoS attacks in SDN: Taxonomy, rationales, and research challenges
Maninder Singh, Abhinav Bhandari
TL;DR: A classification of such security vulnerabilities exposed by SDN architecture and leveraged by a new-flow based DDoS attack is proposed and an analysis of the latest developments made in recent years on DDoS detection and mitigation research works to overcome these security vulnerabilities is provided.
Journal Article
Low-Rate DDoS Attack Detection Based on Factorization Machine in Software Defined Network
TL;DR: A defense method based on dynamic deletion of flow rules is proposed, and experimental simulation and analysis are carried out to prove the effectiveness of the defense method; the success rate of forwarding normal packets reached 97.85 percent.
References
Journal Article
OpenFlow: enabling innovation in campus networks
Nick McKeown, Thomas Anderson, Hari Balakrishnan, Guru Parulkar, Larry L. Peterson, Jennifer Rexford, Scott Shenker, Jonathan S. Turner
TL;DR: This whitepaper proposes OpenFlow: a way for researchers to run experimental protocols in the networks they use every day, based on an Ethernet switch, with an internal flow-table, and a standardized interface to add and remove flow entries.
Journal Article
A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Journal Article
Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges
TL;DR: This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
Proceedings Article
Logically centralized?: state distribution trade-offs in software defined networks
TL;DR: The state exchange points in a distributed SDN control plane are characterized and two key state distribution trade-offs are identified and simulated in the context of an existing SDN load balancer application.
Proceedings Article
FLOWGUARD: building robust firewalls for software-defined networks
TL;DR: This work introduces FlowGuard, a comprehensive framework, to facilitate not only accurate detection but also effective resolution of firewall policy violations in dynamic OpenFlow-based networks.